
DIDEROT: An Intrusion Detection and Prevention System for DNP3-based SCADA Systems


In this paper, an Intrusion Detection and Prevention System (IDPS) for Distributed Network Protocol 3 (DNP3) Supervisory Control and Data Acquisition (SCADA) systems is presented. The proposed IDPS is called DIDEROT (Dnp3 Intrusion DetEction pReventiOn sysTem) and relies on both supervised Machine Learning (ML) and unsupervised/outlier ML detection models capable of discriminating whether a DNP3 network flow is related to a particular DNP3 cyberattack or anomaly. First, the supervised ML detection model is applied, trying to identify whether a DNP3 network flow is related to a specific DNP3 cyberattack. If the corresponding network flow is detected as normal, then the unsupervised/outlier ML anomaly detection model is activated, seeking to recognise the presence of a possible anomaly. Based on the DIDEROT detection results, Software Defined Networking (SDN) technology is adopted in order to mitigate the corresponding DNP3 cyberattacks and anomalies in a timely manner. The performance of DIDEROT is demonstrated using real data originating from a substation environment.


Transcript

  1. DIDEROT: An Intrusion Detection and Prevention System for DNP3-based SCADA Systems

    Panagiotis Radoglou-Grammatikis, University of Western Macedonia, [email protected]
  2. Co-Authors

    George Efstathopoulos (0Infinity Limited); Paris-Alexandros Karypidis and Antonios Sarigiannidis (Sidroco Holdings); Panagiotis Radoglou-Grammatikis and Panagiotis Sarigiannidis (University of Western Macedonia)
  3. Introduction

    • In the era of hyper-connected digital economies, smart technologies play a vital role in the operation of the electrical grid, transforming it into a new.
    • This new reality introduces severe cybersecurity issues due to insecure, legacy protocols.
    • This paper presents an ML-based IDPS called DIDEROT, which is capable of detecting cyberattacks and anomalies against DNP3.
  4. DIDEROT Contributions

    DIDEROT relies on network flow statistics and includes two detection layers: a) intrusion detection and b) anomaly detection. Intrusion detection relies on supervised ML methods and is responsible for recognising particular DNP3 cyberattacks: a) injection, b) flooding, c) DNP3 reconnaissance, d) replay attacks and e) masquerading. Anomaly detection is activated when the first layer classifies a network flow as normal; the second layer then identifies whether a DNP3 anomaly is taking place, either due to a security violation or to a possible electricity disturbance. To this end, the DIDEROT Autoencoder was developed. DIDEROT takes full advantage of SDN in order to mitigate the DNP3 cyberattacks/anomalies.
    • Detecting DNP3 cyberattacks: DIDEROT can detect a plethora of DNP3 cyberattacks by using supervised ML detection methods, in particular a decision tree classifier.
    • Detecting DNP3 anomalies: DIDEROT can recognise DNP3 anomalies that take place either due to a security violation or an electricity disturbance. An autoencoder Deep Neural Network (DNN), the DIDEROT Autoencoder, was developed for this purpose.
    • ML methods evaluation: various ML methods were assessed, using real DNP3 network traffic originating from a substation environment.
    • Mitigating DNP3 cyberattacks/anomalies: based on the DIDEROT detection results, DIDEROT takes full advantage of SDN in order to mitigate the DNP3 cyberattacks and anomalies in a timely manner.
  5. Related Work: IDPS for Smart Grid and DNP3 SCADA Systems

    Relevant survey paper:
    • 2019: P. I. Radoglou-Grammatikis and P. G. Sarigiannidis. Securing the smart grid: A comprehensive compilation of intrusion detection and prevention systems. IEEE Access 7 (2019), 46595–46620.
    Related work:
    • 2017: O. Igbe et al. Deterministic dendritic cell algorithm application to smart grid cyber-attack detection.
    • 2020: S. Kwon et al. IEEE 1815.1-Based Power System Security With Bidirectional RNN-Based Network Anomalous Attack Detection for Cyber-Physical System.
    • 2016: S. Lee et al. LARGen: automatic signature generation for Malwares using latent Dirichlet allocation.
    • 2019: X. Chun et al. Toward an Applied Cyber Security Solution in IoT-Based Smart Grids: An Intrusion Detection System Approach.
    • 2019: G. Efstathopoulos et al. Operational Data Based Intrusion Detection System for Smart Grid.
  6. Background

    • DNP3 SCADA Systems: overview of DNP3 and relevant attacks
    • Typical IDPS Architecture: main components of a typical IDPS
    • Detection Techniques: overview of the detection techniques
    • ML Detection: overview of ML-based detection methods
  7. DNP3 SCADA Systems

    DNP3 protocol: DNP3 is a reliable protocol adopted in Critical Infrastructures, mainly in the US. In a SCADA system, DNP3 is used to exchange messages between a master (i.e., MTU) and an outstation, also called slave (i.e., PLC or RTU). Several topologies: a) point-to-point, b) multiple-drop and c) hierarchical. Three layers: a) link layer, b) transport layer and c) application layer. DNP3 can operate over TCP/IP, where all DNP3 layers are encapsulated in the application layer of TCP/IP.
    DNP3 attacks:
    • Flooding: DNP3 DoS, where the cyberattacker floods the target with multiple DNP3 packets.
    • DNP3 Reconnaissance: DNP3 packets sent to the target system to identify whether it uses DNP3 or not.
    • Replay: captures legitimate DNP3 packets and re-transmits them after a specific delay.
    • Masquerading: impersonates the DNP3 behaviour of a legitimate asset.
    • Injection: the cyberattacker injects malicious DNP3 packets.
  8. Typical IDPS Architecture: Three Main Components

    Based on RFC 2828, intrusion detection is defined as the process that audits and investigates security events in order to recognise a possible security policy violation. In 1980, the IDS term was introduced for a hardware or software system capable of automating the intrusion detection process; in particular, J. Anderson highlighted the significance of log files during an intrusion detection procedure. Another remarkable case is the paper of D. Denning, who defined a theoretical IDS model based on abstract feature patterns. According to D. Denning, if a system cannot operate according to its specifications, then it has probably been affected by a threat.
    • Agents: monitor the examined infrastructure, collecting and sometimes pre-processing the data needed for the detection process.
    • Analysis Engine: the core component of an IDS, which receives the information of the various Agents and implements the intrusion detection process.
    • Response Module: notifies the responsible operator and can perform automated mitigation processes.
  9. Detection Techniques

    1. Signature-based detection defines specific rules called signatures that reflect malicious patterns. If the characteristics of the monitored data match those of the signatures, then a possible security violation takes place.
    2. Anomaly-based detection applies statistical analysis and Artificial Intelligence (AI) methods.
    3. Specification-based detection defines a set of rules called specifications that describe the normal operation of the monitored system/infrastructure. If the characteristics of the monitored data do not agree with the specifications, then a possible security violation takes place.
  10. ML Detection: Three Main Steps

    • Preprocessing: processes the input data so that it is in accordance with the corresponding ML model. Usually, data-preprocessing methods are applied, such as min-max scaling, normalisation, standardisation, robust scaler and max abs scaler.
    • Training: supervised detection methods, unsupervised/outlier detection methods and semi-supervised/novelty detection methods.
    • Prediction: the ML model is deployed in order to predict unknown data after executing the same pre-processing tasks as in the first phase.
  11. DIDEROT

    • DIDEROT Architecture: a) Data Monitoring Module, b) DIDEROT Analysis Engine, c) Response Module
    • DIDEROT Autoencoder: capable of detecting DNP3 anomalies
    • DIDEROT Evaluation: evaluation environment, dataset, comparison with other ML models
  12. DIDEROT Architecture: Three Main Components

    • Data Monitoring Module: monitors the network traffic and feeds the DIDEROT Analysis Engine with network flow statistics. Tools: Tshark, CICFlowMeter. Preprocessing: Min-Max Scaler, $x' = \frac{x - \min(x)}{\max(x) - \min(x)}$.
    • DIDEROT Analysis Engine. First Detection Layer, Intrusion Detection: Decision Tree Classifier, multiclass classification (Injection, Flooding, DNP3 Reconnaissance, Replay, Masquerading). Second Detection Layer, Anomaly Detection: DIDEROT Autoencoder.
    • Response Module: security events based on the AlienVault OSSIM format; it informs the SDN Controller (Ryu) to drop the malicious DNP3 flows.
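
    The mitigation step of the Response Module, as an added example that is not the authors' code: a flow the analysis engine has labelled is turned into an OpenFlow drop rule for Ryu. It assumes Ryu runs its bundled ofctl_rest application (POST /stats/flowentry/add on port 8080, where an entry with an empty actions list drops matching packets); the detection-record fields, the controller address, the protected-master list and the sample flows are constructed for the example. TCP port 20000 is the standard DNP3-over-TCP port.

```python
"""Response Module in miniature: from a labelled DNP3 flow to a Ryu drop rule.

Added example, not DIDEROT's own code. Assumes Ryu's bundled ofctl_rest
REST application; the flow-record layout and sample flows are hypothetical.
"""
import json

DNP3_TCP_PORT = 20000      # DNP3 over TCP/IP
ETH_TYPE_IPV4 = 0x0800
IP_PROTO_TCP = 6


def build_drop_rule(flow, dpid, priority=1000, idle_timeout=300):
    """ofctl_rest flow entry matching the flagged flow; empty actions = drop."""
    match = {
        "eth_type": ETH_TYPE_IPV4,
        "ip_proto": IP_PROTO_TCP,
        "ipv4_src": flow["src_ip"],
        "ipv4_dst": flow["dst_ip"],
        "tcp_dst": flow["dst_port"],
    }
    return {
        "dpid": dpid,
        "priority": priority,        # above the normal forwarding rules
        "idle_timeout": idle_timeout,  # rule expires once the flow stops
        "hard_timeout": 0,
        "match": match,
        "actions": [],               # no action = packets are dropped
    }


def plan_response(flow, dpid, protected_masters):
    """Decide between automated mitigation and operator notification.

    Dropping by source address is appropriate for flooding, reconnaissance
    or injection from a foreign host. A replay or masquerading flow can carry
    the legitimate master's address, and a second-layer anomaly may be an
    electricity disturbance rather than an attack; both are escalated to the
    operator instead of being blocked automatically.
    """
    label = flow["label"]
    if label == "Normal":
        return ("ignore", None)
    if label == "Anomaly":
        return ("alert", f"anomalous DNP3 flow {flow['src_ip']} -> {flow['dst_ip']}; operator review")
    if flow["src_ip"] in protected_masters:
        return ("alert", f"{label} flow claims protected master {flow['src_ip']}; manual review")
    return ("drop", build_drop_rule(flow, dpid))


def ryu_request(rule, controller="127.0.0.1"):
    """(url, JSON body) for the ofctl_rest flow-add endpoint."""
    return (f"http://{controller}:8080/stats/flowentry/add", json.dumps(rule))


# Constructed detection records, one per DNP3 flow (hypothetical format).
FLAGGED_FLOWS = [
    {"src_ip": "10.0.0.66", "dst_ip": "10.0.0.20", "dst_port": DNP3_TCP_PORT, "label": "Flooding"},
    {"src_ip": "10.0.0.10", "dst_ip": "10.0.0.20", "dst_port": DNP3_TCP_PORT, "label": "Replay"},
    {"src_ip": "10.0.0.10", "dst_ip": "10.0.0.21", "dst_port": DNP3_TCP_PORT, "label": "Anomaly"},
    {"src_ip": "10.0.0.10", "dst_ip": "10.0.0.22", "dst_port": DNP3_TCP_PORT, "label": "Normal"},
]

if __name__ == "__main__":
    for f in FLAGGED_FLOWS:
        kind, payload = plan_response(f, dpid=1, protected_masters={"10.0.0.10"})
        print(kind, ryu_request(payload)[1] if kind == "drop" else payload)
```

    The protected-master check is the caveat a practitioner wants before automating this: a replay or masquerading attacker is by definition sending traffic that looks like the MTU, so a blanket drop on that source address is a self-inflicted denial of service against the control centre.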
  13. DIDEROT Autoencoder

    The DIDEROT Autoencoder maps input data $x \in X = \mathbb{R}^n$ to an output $x' \in X$. It consists of an encoder $f : X \to Z$ and a decoder $g : Z \to X$, each implemented as a deep neural network. The encoder and decoder together produce the output $x' = g(f(x))$. The low-dimensional latent representation of $x$ is obtained from the encoder and is defined as $z = f(x) \in Z = \mathbb{R}^m$ ($m \ll n$). The DIDEROT Autoencoder is prevented from becoming an identity function, and the training process aims to minimise the reconstruction error $L(x, x')$.
    Anomalies are detected by measuring the reconstruction error $L(x, x')$ and comparing it with a threshold $T$, classifying all operational data samples $y$ with $L(y, g(f(y))) > T$ as anomalies. $T$ is estimated heuristically from the reconstruction error $L$ of all normal training data samples. To be more robust, $T$ is selected as a large percentile of the reconstruction error, $T = p_{0.9}\left(L(x, x') \mid x \in X\right)$, or, if a validation dataset is available, it is selected to maximise the performance on the validation data.
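
    The second detection layer end to end, as an added example that is not the authors' code: the min-max scaling of slide 12 fitted on normal flows, an autoencoder trained on normal flows only, and the threshold $T = p_{0.9}$ of the normal reconstruction error from this slide, applied to held-out normal flows and to one constructed anomaly. Assumptions: the autoencoder is a one-layer linear encoder/decoder trained by full-batch gradient descent (DIDEROT uses a deep network), the bottleneck is m = 2 for n = 8 features, and the flow statistics are synthetic (two latent factors driving eight CICFlowMeter-named columns).

```python
"""Second DIDEROT detection layer in miniature: min-max scaling, an
autoencoder trained on normal flows, T = 90th percentile of normal error.

Added example, not the authors' code. The autoencoder is a linear
encoder/decoder trained with gradient descent (stand-in for the paper's
deep network); all flow statistics below are synthetic.
"""
import numpy as np

# A subset of the CICFlowMeter features named on the evaluation slide.
FEATURES = ["Flow Duration", "TotLen Fwd Pkts", "Fwd Pkt Len Mean",
            "Bwd Pkt Len Std", "Flow IAT Std", "Bwd Pkts/s",
            "Subflow Bwd Pkts", "Init Bwd Win Bytes"]


class MinMaxScaler:
    """x' = (x - min(x)) / (max(x) - min(x)), fitted on the normal training flows."""

    def fit(self, X):
        self.lo, self.hi = X.min(axis=0), X.max(axis=0)
        self.span = np.where(self.hi > self.lo, self.hi - self.lo, 1.0)  # constant columns map to 0
        return self

    def transform(self, X):
        return (X - self.lo) / self.span


class LinearAutoencoder:
    """Encoder f: R^n -> R^m and decoder g: R^m -> R^n with m << n."""

    def __init__(self, n, m, seed=0):
        rng = np.random.default_rng(seed)
        self.W1, self.b1 = rng.normal(0.0, 0.1, (n, m)), np.zeros(m)
        self.W2, self.b2 = rng.normal(0.0, 0.1, (m, n)), np.zeros(n)

    def encode(self, X):           # z = f(x)
        return X @ self.W1 + self.b1

    def decode(self, Z):           # x' = g(z)
        return Z @ self.W2 + self.b2

    def reconstruction_error(self, X):   # L(x, g(f(x))) as per-sample mean squared error
        return ((self.decode(self.encode(X)) - X) ** 2).mean(axis=1)

    def fit(self, X, epochs=4000, lr=0.5):
        """Minimise the mean reconstruction error by full-batch gradient descent."""
        N, n = X.shape
        for _ in range(epochs):
            H = self.encode(X)
            G = 2.0 * (self.decode(H) - X) / (N * n)   # d(loss)/d(x')
            dW2, db2 = H.T @ G, G.sum(axis=0)
            dH = G @ self.W2.T
            dW1, db1 = X.T @ dH, dH.sum(axis=0)
            self.W1 -= lr * dW1; self.b1 -= lr * db1
            self.W2 -= lr * dW2; self.b2 -= lr * db2
        return self


def select_threshold(normal_errors, q=0.9):
    """T = p_q(L(x, x') | x in the normal training data)."""
    return float(np.quantile(normal_errors, q))


def make_normal_flows(rng, count):
    """Constructed 'normal' flows: two latent factors drive the eight statistics."""
    A = np.array([[1.0, 0.8, 0.6, 0.0, 0.0, 0.5, 0.3, 0.0],
                  [0.0, 0.0, 0.4, 1.0, 0.9, 0.0, 0.2, 0.7]])
    z = rng.normal(size=(count, 2))
    return 100.0 + 20.0 * (z @ A) + rng.normal(0.0, 0.3, size=(count, len(FEATURES)))


def run_demo():
    rng = np.random.default_rng(42)
    train_raw, test_raw = make_normal_flows(rng, 300), make_normal_flows(rng, 200)
    scaler = MinMaxScaler().fit(train_raw)            # fitted on normal flows only
    X_train, X_test = scaler.transform(train_raw), scaler.transform(test_raw)

    ae = LinearAutoencoder(n=len(FEATURES), m=2).fit(X_train)
    T = select_threshold(ae.reconstruction_error(X_train))

    # Constructed anomaly: a flow whose backward packet rate is far outside the
    # normal range while the other statistics look ordinary (flooding-like burst).
    anomaly = X_test[0].copy()
    anomaly[FEATURES.index("Bwd Pkts/s")] += 4.0

    return {
        "threshold": T,
        "train_flag_rate": float((ae.reconstruction_error(X_train) > T).mean()),
        "heldout_flag_rate": float((ae.reconstruction_error(X_test) > T).mean()),
        "anomaly_error": float(ae.reconstruction_error(anomaly[None, :])[0]),
    }


if __name__ == "__main__":
    print(run_demo())
```

    Choosing T as the 90th percentile fixes the false-positive rate on normal data at about 10% by construction (the slide's FPR charts for this layer are in that neighbourhood); lowering the rate means raising the percentile, or tuning T on a labelled validation set as the slide also allows.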
  14. DIDEROT Evaluation

    Evaluation flow: an emulated substation environment equipped with real industrial devices such as RTUs and IEDs. Via SPAN, the Data Monitoring Module receives the overall DNP3 traffic and extracts the normal network flow statistics. Malicious DNP3 flows: N. Rodofile et al., Framework for SCADA cyber-attack dataset creation.
    Datasets creation:
    • First Detection Layer, Intrusion Detection: balanced, labelled dataset composed of both normal and DNP3 cyberattack flows.
    • Second Detection Layer, Anomaly Detection: the training dataset includes only normal flows; the testing dataset includes both normal and abnormal flows, with the abnormal flows labelled "Anomaly".
    Evaluation metrics: Accuracy, TPR, FPR and F1 score.
    Feature selection: Flow Duration, TotLen Fwd Pkts, Fwd Pkt Len Mean, Bwd Pkt Len Std, Flow IAT Std, Bwd Pkts/s, Subflow Bwd Pkts, Init Bwd Win Bytes, Active Mean.
  15. First DIDEROT Detection Layer – Intrusion Detection: Accuracy

    [Bar chart comparing Logistic Regression, LDA, SVM RBF, SVM Linear, Random Forest, MLP, AdaBoost, Quadratic Discriminant Analysis, Decision Tree and Naïve Bayes; bar values as extracted, whose order does not necessarily follow the legend: 0.910, 0.997, 0.89, 0.907, 0.893, 0.864, 0.722, 0.798, 0.911, 0.931]
  16. First DIDEROT Detection Layer – Intrusion Detection: TPR

    [Bar chart, same ten classifiers; values as extracted: 0.731, 0.991, 0.688, 0.722, 0.680, 0.592, 0.166, 0.396, 0.733, 0.793]
  17. First DIDEROT Detection Layer – Intrusion Detection: FPR

    [Bar chart, same ten classifiers; values as extracted: 0.053, 0.001, 0.062, 0.055, 0.063, 0.081, 0.166, 0.120, 0.053, 0.041]
  18. First DIDEROT Detection Layer – Intrusion Detection: F1 Score

    [Bar chart, same ten classifiers; values as extracted coincide with the TPR chart: 0.731, 0.991, 0.688, 0.722, 0.680, 0.592, 0.166, 0.396, 0.733, 0.793]
  19. Second DIDEROT Detection Layer – Anomaly Detection: Accuracy

    [Bar chart comparing DIDEROT Autoencoder, Isolation Forest, PCA, LOF and MCD; values as extracted, whose order does not necessarily follow the legend: 0.951, 0.997, 0.89, 0.946, 0.942, 0.5, 0.950 (the pair 0.997, 0.89 recurs in all four second-layer charts)]
  20. Second DIDEROT Detection Layer – Anomaly Detection: TPR

    [Bar chart, same five methods; values as extracted: 1, 0.997, 0.89, 1, 1, 0, 1]
  21. Second DIDEROT Detection Layer – Anomaly Detection: FPR

    [Bar chart, same five methods; values as extracted: 0.097, 0.997, 0.89, 0.107, 0.114, 0, 0.098]
  22. Second DIDEROT Detection Layer – Anomaly Detection: F1 Score

    [Bar chart, same five methods; values as extracted: 0.953, 0.997, 0.89, 0.949, 0.945, 0, 0.953]
  23. Conclusions

    The technological leap of the smart grid demands appropriate security measures; the presence of timely and accurate IDPS is necessary. In this paper, we presented an IDPS for the DNP3 protocol called DIDEROT. DIDEROT relies on ML-based detection techniques, thus detecting DNP3 attacks and anomalies.
    Future plans: association rules that will combine the two detection layers of DIDEROT; intrusion detection mechanisms for other industrial protocols, such as Profinet, EtherCAT and IEC 60870-5-104.
  24. Thank You & Q/A

    Contact us: pradoglou@uowm.gr
    http://www.sdnmicrosense.eu/
    https://gr.linkedin.com/in/panagiotisrg
    https://www.youtube.com/channel/UC5xpUNpQQ6eAQvc5JpnWWGw